Enforce https everywhere #1765
Should we care about this in current confs?
I've had a quick look, and might need to revert this one
Or maybe not? It appears in a bunch of places.
This seems overzealous. We should just focus on content. At first glance I noticed it broke the SVGs on the conf sites, somehow.
Probably, especially if it breaks things. :-p But we should also look at easy changes that make linting the content easier in the long run, which I'd file this under, even if this specific example is a no-go.
I think this approach is much too wide - it breaks SVGs because the header is changed (easy fix there), we don't know which of our external links support HTTPS so may be breaking all kinds of links, and indeed should not be touching analytics javascripts.
We could limit it to internal links, but then the bigger and easier win is to increase our HSTS duration which is now only 1337 seconds. That secures both internal and external inbound links in a robust way.
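An added example, not part of this pull request or the project's code: one way to scope the rewrite to internal links only, as the comment above suggests. The host names and sample markup are constructed, and treating the SVG breakage as a rewritten namespace URI is an assumption (the thread only says the header changed).

```python
import re

# Assumption: hosts the site controls and knows to serve HTTPS (constructed names).
INTERNAL_HOSTS = {"example.org", "www.example.org"}

# Match only attributes that are fetched or navigated to. Namespace attributes
# (xmlns, xmlns:xlink) are identifiers, not links, so they are never candidates.
LINK_ATTR = re.compile(
    r'''(?P<prefix>(?<![\w:-])(?:href|src|action|xlink:href)\s*=\s*["'])'''
    r'''http://(?P<host>[^/"'\s?#]+)''',
    re.IGNORECASE,
)


def upgrade_internal_links(markup, internal_hosts=INTERNAL_HOSTS):
    """Rewrite http:// to https:// for internal hosts only.

    Returns (new_markup, skipped); skipped lists the external hosts (or
    host:port values) left on http:// so they can be reviewed by hand.
    """
    skipped = []

    def repl(match):
        host = match.group("host").lower()
        if host in internal_hosts:
            return f'{match.group("prefix")}https://{match.group("host")}'
        skipped.append(host)          # unknown HTTPS support: do not touch
        return match.group(0)

    return LINK_ATTR.sub(repl, markup), skipped


# Constructed sample: internal link, external link, analytics script, inline SVG.
SAMPLE = '''<a href="http://example.org/talks/">Talks</a>
<a href="http://partner.example.net/">Sponsor</a>
<script src="http://analytics.example.com/a.js"></script>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="http://www.example.org/map"><circle r="4"/></a>
</svg>'''

if __name__ == "__main__":
    rewritten, left_alone = upgrade_internal_links(SAMPLE)
    print(rewritten)
    print("left on http:", left_alone)
```

A host with an explicit port does not match the allow-list and is reported in `skipped` rather than rewritten.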
As an optional add on to #1764 I just changed everything to https, including inside SVGs and what have you, and turned on validation. 🤷‍♂️